Good for him....
....if a job's worth doing, do it right. I admire his 'in for a penny, in for a pound' ethics.
Paris, 'cos she knows all about doin' it right.
San Francisco’s officials were squirming with embarrassment today as it emerged that they are still paying the salary of the banged-up sysadmin accused of locking down the city’s IT network and refusing to divulge the password. The City has been forced to call in help from Silicon Valley, including engineers from Cisco, to …
>> San Francisco’s officials were squirming with embarrassment today as it emerged that
>> they are still paying the salary of the banged-up sysadmin accused of locking down the
>> city’s IT network and refusing to divulge the password.
I thought it was standard practice to suspend staff on full pay until they have had chance to argue their case. Innocent until proven guilty and all that.
>> According to the Chron, he was convicted of aggravated robbery and aggravated burglary
>> charges dating back to 1982, and was on probation or parole until 1987. Childs
>> apparently disclosed his convictions to the city when he applied for his job five years ago.
What's embarrassing about knowingly employing someone who was convicted 20 years ago, who hasn't been involved with the penal system for 15 years?
"At least Newsom identified what makes BoFHs run amok: "He was very good at what he did, and sometimes that goes to people's heads and we think that's what this is about."
Well I never. Who would ever have thought IT? What is it he is doing ...."aggravated robbery and aggravated burglary"? He does have Phorm and Hosts a Conviction although that is not necessarily to say that he has fallen again into the Selfish Honey Trap.
"though it says they will convene a meeting on whether Childs should be placed on “unpaid leave”, possibly as early as this Thursday."
So let me get this straight, you ask someone to leave their post for insubordination, they lock you out of the system causing a huge cost to fix it, he goes to jail, you continue to PAY him, then you go to "Convene a meeting" to stop paying him...
"Nothing dramatic has changed in terms of our ability to govern the city," Damn right, you couldn't manage a piss up in a brewery.
Mine's the one with the master password in the coat pocket.
> Innocent until proven guilty and all that.
Well, a sysadmin refusing to unlock a mission critical system to allow maintenance could very well be said to be in dereliction of his duties. Unpaid leave would be a very mild sanction to apply in that case. Personally I'd apply other methods, a bit more BOFH-like, to get that password. But that's just me.
He had admin privileges. He had access to payroll data as well as sensitive info. He could have done a lot worse than just lock out the system. Wiping it for one.
Let's not forget it will present real life difficulties for some people seeking access to certain data. Although that said, it may affect the speed of the city's bureaucracy....... by about 10 minutes
>>> I thought it was standard practice to suspend staff on full pay until they have had chance to argue their case. Innocent until proven guilty and all that.
Err - what with him being jailed and all, I suspect he's now been found GUILTY?
----------------------
If the loss of access to this all-encompassing system has "not affected their ability to govern the city", then WTF was it doing when it WAS working???
Come people, you read El Reg therefore have *some* intelligence. He has been *accused* of these things, not *convicted* of them. He gave them passwords, but they didn't work. Stop assuming he did all this, no matter *how* likely it seems according to the media. It is possibly a frame-up, or possibly he is guilty. He should not have his pay stopped until or unless he is found guilty, and he should not be assumed guilty without evidence.
Do any of you actually *know* what this "insubordination" was? In my experience, some moron managers will try and get you fired because you don't ask how high when they say jump, and it rarely hurts their employability even if it is found later that had you jumped the whole house of cards would have collapsed, and you actually saved everybody's jobs by refusing. Not all managers are twats, but there are certainly many that are.
When you know the *full facts* of this case, *then* and *only* then, make a judgement. Idiots.
Well, I'm sure the taxpayers who funded this system are happy with that. Or do they mean "we can maintain the same amount of control we had before this new system"?
Also, if this was the BOFH then the security manager would have accidentally fallen down the stairs due to his own stupidity in tying his shoelaces together and cattle-prodding himself in the arse. You know what these manager types get up to...
There's a time to take a stand and there is a time not to take a stand.
"he was convicted of aggravated robbery and aggravated burglary charges dating back to 1982"
If these count as separate felonies isn't it "3 strikes and you're out" in California?
Personally I wouldn't want to spend 30 years in prison over a work dispute
So, it will probably be a complete reinstall, which is why the figure will be so large, plus they will have to check the data integrity. In fact it will be harder than when they moved off the old system, which is where the 8 months figure is probably coming from.
The security guy though, what a tosser, not only has this demonstrated he did not know what he was doing, he also aggravated the situation thereby being part responsible for the breach. Granted he may not have broke into the system, but his arse should be canned over this.
It is a clash of egos that causes these problems, and the security guy was probably barking orders; Cartman syndrome style 'You will respect my authority'. The security guy called the situation wrong, had his little shorts around his ankles, and got involved in a matter of ego.
IT security needs to have ice water running through their veins, and be as cool as the proverbial cucumber, this security guy obviously neither knew the technology, or how to handle security situations, his arse should be canned over this as well.
But the right move would be to bring in an outside security consultant, who will manage the handover from the current one, and then the old incompetent security guy should be shown the door, with a few months salary to keep him sweet. The guy was an idiot, but also an unlucky one.
@Louis
The whole "innocent until proven guilty" only applies in a court of law. The concept of "presumption of innocence" only applies to the members of the jury in that court of law. Sure, it's a great idea, and it would be a better world if everyone followed the concept of presumption of innocence.
However, it's not a perfect world. As such, we, the members of the general public, are under no obligation to grant the presumption of innocence to the accused. We are free to make any assumptions, we are free to decide guilt or innocence for whatever reason we want, using little or no factual information. We as the general public can decide that he is guilty because the great flying spaghetti monster told us he was guilty.
Or whatever weird spelling they choose to go by these days.
We're always reading of systems being compromised in like 4 minutes, or penetration testing being too easy.
Why are they wasting time trying to get the password out of the guy, surely they should just get in a 14 year old, bored teenager with something to prove, sit him down at a terminal and tell him under no circumstances is he to hack into the system, that should get you access again in no time.
Having been dismissed from a job for insubordination (which was a trumped up charge, I might add- I was one of the vocal group of employees which was asking for an increase in travel reimbursement from the 20 year old standard which was being paid, which did not cover the running costs for our vehicles), the only thing it means anything to is the unemployment office when you go to file.
I will grant you that I probably did not get a few jobs because of that company, but I managed to do ok despite that little issue.
As for the dude still getting his salary- it's probably standard procedure with government jobs, depending upon how high up on the food chain he was.
I'm trying to be nice here. I really am.
@ Tom Kelsall
He's being held on remand in lieu of $5m bail. It says it in the article. If you don't know what "remand" is, there are lots of places you can find out.
@ kns2c
Pittsburg, CA is a real place: http://www.ci.pittsburg.ca.us/pittsburg/
Pittsburgh, PA is also a real place, but, amazingly, a completely different one.
Frankly, I'd rather live in a society that forgives and forgets once a convicted criminal has done his time, rather than one that tattoos FELON on the forehead (figuratively speaking at the moment, but wait until Jacqui hears about it).
Sure, from time to time another crime will be committed by a convicted felon, but hey! crimes get committed by lots of people who've never transgressed the law before.
El Reg readers need to know that in the US, depending on the state, convicted felons can't own real estate, can't vote, and are subject to a variety of other permanent legal disabilities. It's medieval, in my opinion.
As for what triggered the alleged outrage, keep in mind that management ranks most everywhere are filled with socio- and psychopaths, with a sprinkling of plain ol' scum. Once one of these types reaches the top, the lower reaches of management quickly fill up with similar types, making for an impossible working environment.
There's such a thing as too much touchy-feeliness (cue NuLab), but I'd rather have a flock of fuzzies over me than lying, exploitive, manipulative jerks with zero empathy for anyone but themselves.
Maybe the thing to be surprised at isn't that this incident happened but, rather, that similar incidents don't happen a lot more often.
Mr. Ballmer because his outbursts are suggestive . . .
They re-elected the mayor who caused all the fire damage after that earthquake a hundred years back. They really know how to handle petty criminals over there.
What they really need is for some way that they can elect this guy.
Wait... e-ballots.
OK!
Nice one. And he should get a nice bonus from ..wassaname of them vote fixers... Bush.. no.. Die something... Dyebush. That's it.
You are the only one with admin passwords
A senior manager sacks you and you're escorted off the premises
He realises the ex employee is the only one with a password and demands it, threatening all sorts.
The ex employee feels no obligation to help and says he will invoice for his time at $X per hour to help them.
The council get him arrested, because, face it, if SF is on its knees, they can do that.
He is given high bail because he has done nothing wrong, and is perfectly entitled to leave for a holiday.
All the rest - locking out of systems etc just sounds like the senior manager's story to me...
I bet Mr Childs is rather hoping for an inquiry... and he may be wrong or right but good on him for facing down the bullies.
They essentially said, "We can do it without you, goodbye." To which he replied, "OK, I'd like to see you try!" Behold! They are having great difficulty doing it without him.
You harass the sysadmins and you get bent over a barrel.
You harass kids in school and they show up with guns for a massacre.
It seems the message being sent is a confusing one in regards to "When is it OK to seek revenge for being wronged?"
This is what happens when people do not respect each other. While John has the capability to fire Jack, John is also at the mercy of Jack because John (and in some cases John's company) is at the mercy of Jack. The people who make sure things work deserve much respect, just as anyone else who is correctly doing their job deserves respect.
It isn't wise to hit someone who can hit you back harder, especially if you don't know if they are likely to even hit you back at all.
For you people saying that San Francisco should withhold his salary because he's in dereliction of his duties, you are assuming that:
1. He knows the master password.
2. He created the master admin system in the first place
3. Even if he did create the master admin system and password, someone else may have tampered with both and then framed him or offered him up as a scapegoat.
4. That the authentication system has not gotten corrupted or broken down somehow.
Now I imagine the cops have probably got the right guy, but I don't KNOW that and it hasn't been proven in a court of law.
Paris, because I'm sure she's guilty of a lot of things and she knows a bit about life in the lockup...
Gee it would be nice for him if it were that simple, but according to what I read in the papers the lad is charged with a little more than being fired. It is alleged he purposefully locked out accounts not his own, set things up so ONLY HIS account can maintain the system, and is evidently not cooperating.
For those who think this is funny, if something breaks and can't be fixed (due to no-one having necessary access) it is possible things like the 911 system, the hospital records, the fire department communication system might become inoperable. I don't know, since that level of detail isn't being discussed publicly.
But to suggest this little sh!t is somehow a noble employee standing up to the big bad employer, when he's potentially putting public safety at risk is a little too precious for me.
I consider him no better than a kidnapper who refuses to reveal where he is keeping the victim. His lawyer (on the city payroll for Gate's sake!) needs to convince him he's better off fixing it now rather than later, when things might get uglier.
Ferchrissakes, that's Steve "The Messiah" Jobs, not Steve "Fscking kill" Ballmer. It's bloody obvious to anyone with the i's to see. Yes, they both have an over-inflated notion of their own worth but they really are different people. For a start, it is rumoured that Ballmer sweats more, although you can't see soggy armpits on a black turtleneck, and I've never yet seen Jobs impersonate a demented chimp at a keynote, although he does a very creditable impression of an annoyed silverback (with very expensive lawyers) if you dare to take the piss out of him (I'm immune; I'm nobody whose opinion matters, so I slip beneath the RADAR).
Jobs because, well, just because, OK? El Reg, can we have a flying chair icon or something to stop this insanity? Just take the black helicopter icon, remove the chopper and put an office chair in there. That'll do the job (er, Ballmer) and it may just become an ISO standard or something for insane CEOs' office doors.
El Reg readers need to know that in the US, depending on the state, convicted felons can't own real estate, can't vote, and are subject to a variety of other permanent legal disabilities. It's medieval, in my opinion.
Um, that's not quite right. No state will prevent you from owning land.
In most states being a convicted felon bars you from voting. Can't own a firearm or be a corporate officer of a public company. There are two states that do allow convicted felons to vote and one that allows them to vote in prison. You can go to court and get your civil liberties restored and then you can vote and own a gun.
Currently Florida seems to be the only state that seems to refuse to do this.
"But to suggest this little sh!t is somehow a noble employee standing up to the big bad employer, when he's potentially putting public safety at risk is a little too precious for me."
*applauds*
He's acting like a complete cock. And I'd bet a serious amount of money that he acted like an egotistical cock in the job as well as now he has been fired from it.
He is an employee, he isn't a bloody God. And if he was paid $126,000 a year, he wasn't exactly being treated like scum either.
The guy reminds me quite a lot of the Dennis Nedry character in "Jurassic Park", played by Wayne Knight (Newman, from "Seinfeld") ... the guy who stole the dino embryos ... freakishly impressed with his own brilliantness and disdainful of everyone else.
Anyway ... he's in violation of a bunch of Federal and State laws on this one (four felony counts of computer tampering). For starters, the computer network is not his property ... he's an employee who has no right to keep the owners of the system from accessing it. In addition, as one poster mentioned above, he could easily be putting the public at risk by restricting full access to the public emergency response system.
From InformationWeek:
"Childs' problems with the department got serious June 20 when he started taking photographs of the agency's new head of security after she began an audit of who had password access to the system ... Childs' frightening behavior prompted the woman to lock herself in an office ... His supervisors' concerns grew when they discovered he had given himself exclusive access to the system and had developed a way to spy on his bosses' e-mails related to his conduct."
And for those of you who have commented on the idea that he may be tortured for the access info because (a) you love the idea of the US torturing people and (b) you think he's not eligible for such treatment because he's a US citizen ... (a) who doesn't love that idea? and (b) being a US citizen hasn't stopped the Bushies from torturing before, and wouldn't stop them in this situation, except that he's not an "unlawful enemy combatant" in the "War on Terror".
not from what most can make out - it is the admin access. If they need to use the admin accounts they cannot, but normal users are probably still active.
They are rooted, and locked out of admin control of their system, who knows what it is doing, no one can really monitor it. They could move stuff off gradually, get priority systems routing through another system, all of it costs money though, and probably some downtime.
At a guess he probably wouldn't have given the wrong access deliberately, unless repeated unsuccessful access trips something, dropping access until an admin password is given perhaps. If not then they should brute force around the access code he has given.
recovering or enabling access to this sort of system if you have physical access to either the box or the RADIUS/TACACS+ system that deal with access is childs play.
hey! SF, pony up the dough and i'll visit for a week or so to clear this up for you...and even install a couple of special interlock systems to ensure that no such unregulated access/changes happen again. all from best practice Cisco guides too.
just reply....
When I posted my earlier comment, I had misread the article. I made a mistake based upon that misreading. I make no apology for that because I'm fucking human. That does not make me an idiot and it does not mean that I don't know, or can't look up, the meaning of a simple word. So, Gianni and Louis; fuck off.
Hello ... welcome to 21st century.
If you are suspended from work with no immediate evidence of wrong-doing you are suspended on FULL PAY. Got that?
At the moment he is “accused” (do you know what that means?) of wrong-doing. Until his case is heard he is INNOCENT (even if in actual fact he may not be).
I WOULD EXPECT AND DEMAND NOTHING LESS from an employer.
Tom, you were *replying* to someone saying he hadn't been found guilty, and that he hadn't yet argued his case.
It takes a fairly big misreading of the article to still be confident enough that he'd been found guilty to reply to someone like you did without double-checking the article first.
Not in the universe I live in. If my employer thinks I've maliciously damaged something that doesn't belong to me, I'm fired. The fact that there's also criminal prosecution doesn't mean I can hang around until the wheels of justice complete their majestic journey.
The fact that in this case the employer and the entity doing the prosecution doesn't change things... the City and County of San Francisco (yes, it's both things, somewhat unique that) is both the employer and the prosecuting entity. As an employer it has the right (subject to civil service regs) to take action as an employer.
And where do you get "no immediate evidence of wrong doing?". Even his lawyer isn't claiming that.
Some years ago as a SysAdmin on a Linux contract with sensitive data, we put in place a system to detect a specific password and wipe the sensitive data when it's given.
To be used if/when the user is logging in "under duress". i.e. gun to head kind of thing.
Wonder if this Terry Childs guy had the same kind of thing in place, and gave them the duress password?
Without more details of what is going on, it is hard to judge how serious his actions are. I remember an incident many years ago which almost cost the company I worked for access to our Novell NDS. The NDS was configured with an admin account that had full privileges and a safety account that was fully locked down, except for access to the admin account to reset the password. The safety account had a password that was written down, sealed in an envelope, and placed in a safe. No-one was authorised to use the safety account on a routine basis, and if anyone logged in, a warning e-mail was issued out to management (including me). Our 2 main sys-admins (and the only people at the time with access to the main admin account) both quit, and whilst they were on their notice, I made a test to make sure we could take control of the network. What I discovered was that the sys-admins had made a subtle change to try and screw us (all this discovered from audit trails after the discovery). They had changed the safety account to have an expiring password. That password had already expired, and we couldn't get in. The other sealed envelope in the safe with the password to the main admin account had an out-of-date password in it. That night, along with another member of my team, we actually got into the system via a backup server account which was badly configured (long story here) and changed all the passwords after confirming in the audit logs what these sys-admins had done. I then told the SAs the following morning to go on gardening leave, and escorted them off the premises.
I have no idea whether this SA is guilty or not, in fact I don't really care. But I thought an informed set of people like Reg readers would realise that the technicalities behind the case are never as simple as the press makes out, or the police tell us.
No - it takes a "skim read" of the article while at work and then a piecemeal, bit by bit in-between-work reading of the comments to misconstrue what had happened so far.
@Greg Fleming - was that directed at me? I've just explained my position on that and I extend my "greeting" to Gianni and Louis to you too. If it was not directed at me then please accept my apologies and move along please, nothing to see here.
if someone allowed him to take control of the system, it sounds like there are few checks-and-balances and probably a spineless boss. I have seen several instances of sysadmins empire-building and ring-fencing resources in the organisation, and the boss is too scared to argue with them or "take them on".
I recall one particular SAP Basis Administrator who refused to divulge a critical process to her supervisor (me) that was needed to be shared amongst the team. My invertebrate manager refused to back me and it took the Head of Department (2 steps above me) to get this woman to release the information.
He could have looked forward to suspension on full pay for a good few years while investigations proceed at the sort of pace that makes glaciation look like Formula 1 motor racing. Then, in the fullness of time when it looks like TPTB might actually get around to taking some sort of action, he would get to take early retirement.
One day someone will explain to me exactly how a long holiday followed by an index-linked pension and a lot of brushing the mess under the carpet is supposed to deter anyone else thinking they can get away with it....
A few points..
He gave them the password! Who's to say that was not the correct one and someone else has changed it? Hmm? eh? I read reports ages ago that US institutions were under constant hack attack from China. It was only a matter of time before something like this happened. Given that the hardware and firmware are probably engineered in China, who's to say there isn't some sort of secret back door?
What on earth was he doing working on his own? Sysadmins at this level should work as a team.. Cost cutting by city officials?
The BURNING question still remains..
Where the hell was the PFY when all this was happening?
I am scandalised that you take time out from reading The Register to do some work. That really is indefensible.
Anyway, I wonder why they set bail at $5m. Seems a bit steep for computer tampering. Maybe they were afraid he'd go to Starbucks, log in and wreak more havoc, though to do that would be pretty stupid while awaiting trial.
Fuck off yourself, fool. If you genuinely feel you are intelligent enough and inclined enough to comment on an El Reg article, I suggest reading it first. As another commenter put it so succinctly -
"Tom, you were *replying* to someone saying he hadn't been found guilty, and that he hadn't yet argued his case.
It takes a fairly big misreading of the article to still be confident enough that he'd been found guilty to reply to someone like you did without double-checking the article first"
Also, get off your high horse and stop thinking you are actually important enough that I would address my comments specifically to you (notwithstanding this one). Many people commented with things amounting to "lock him up and throw away the key". I refer you back to my original comment, and several similar by others since - "He has been *accused* of these things, not *convicted* of them" and I am tired of the "hang 'em and flog 'em brigade", when it has been proven, consistently, and over time, that violence begets violence, and treating people like criminals turns a large proportion of them into criminals. Give people a decent education and a proper appreciation for each other, and life in general, and many of the problems in societies around the world fall. There are exceptions to every rule - psychopaths and sociopaths are numerous, just to name a few - but I find if you give respect, you get it. If you are a rude, ignorant twat who cannot even bring himself to accept he fucked up, then expect to be abused.
Idiot.
RW, you state in your post:
Sure, from time to time another crime will be committed by a convicted felon, but hey! crimes get committed by lots of people who've never transgressed the law before.
First, I am not sure where you get your statistics "from time to time". Actually it is close to a third of violent criminals that will end up back in prison on another charge within 3 years of their release. (source http://www.ojp.usdoj.gov/bjs/reentry/recidivism.htm).
As indicated in the stories about this incident, allegedly he has once again committed another felony by changing the credentials needed to access the systems and refusing to supply it. Whatever the twisted logic is behind his actions, he is still violating the law by "stealing" access to the systems.
If I had to count how often this kinda shit happens, I'd be too damn busy to bill for it.
I have a consulting business and many of my clients have been in this situation as they never asked their employees, previous employees, or contractors for the passwords. In most cases someone set something up and neglected to document.
I recently picked up a "customer" whose previous computer consulting company was a "bunch of idiots," per the business owner. He proceeded to tell me they had done shitty work, which is why they were working with me, and they hadn't paid them. So after 45 hours of work I performed, including hacking my way into their firewall (they didn't know the password and the previous company wouldn't divulge), I fixed all the minor fixes they needed and made some vast improvements.
Much to my surprise when they also refused to pay me and are currently onto another consulting company. I called their previous company and they relayed a similar story which they had come in for a week or two of work...which was to replace the previous "shitty company." So, when the new company called me to get the passwords...I told them to run away before they wasted time and were fruitless in their work. Needless to say, I still have the password, and I don't care if they got in or not. I haven't been called or contacted by this "non-paying" company.
On the flip side, I would assume Terry probably has a shitty moron boss who didn't think to get the password to "job share" a new guy or to allow this guy to take a vacation. If his manager was too inept to get this password before letting him go, the manager should also be let go for being an inept moron! The "devised a way to spy on email" bit the media is pushing is again ill-informed. Use Ethereal, it's a free tool to monitor the traffic on the network. Amazingly email and most other traffic comes across in clear text. This is not magical, or malicious. The guy was probably doing his job, by watching traffic and this manager is simply trying to Cover his Ass. He probably fears, he was watching email and a simple network monitor program is his out to his more inept upper management.
Go Terry! We know you didn't disable accounts, there probably were no other accounts with <root> access. It's just good to know we are more feared than murderers or rapists in SanFranFreako! I guarantee if this guy was smart he saved every email his boss sent and will make the SanFran government look like the fools they are.